Eight Control Points US Cloud Providers Hold Over European Businesses (and Which Ones to Fix First)
EU data residency solves one problem. But US cloud providers retain control over identity, encryption keys, DNS, update schedules, and more. A detailed look at each control point and the European alternatives that exist.
European organisations that choose EU data centres for their Microsoft 365 or Google Workspace deployments often believe they have addressed their sovereignty exposure. The data is in the EU. The box is ticked.
But data location is only one of many control points a cloud provider holds over your organisation. Even with EU-hosted data, a US provider retains administrative access, controls the encryption keys, operates the identity layer, and can push updates or policy changes without your consent. The CLOUD Act (18 U.S.C. §2713) gives US law enforcement the legal authority to compel data disclosure regardless of where the data is physically stored.
This post maps eight specific control points that US cloud providers retain over European businesses, explains why each one matters, and identifies where European alternatives exist today.
1. Identity and Authentication
When Azure Active Directory (Entra ID) or Google Workspace serves as your identity provider, every login request in your organisation passes through US-controlled infrastructure. This includes SSO connections to third-party applications, MFA challenges, conditional access evaluations, and session management.
If the identity provider becomes unavailable, whether through an outage, a sanctions decision, or a policy change, every connected application stops working. Not just the provider’s own tools, but every third-party application connected via SAML or OIDC.
European alternatives: Keycloak (open source, Red Hat-backed, self-hosted or EU-hosted), Authentik (open source, Dutch-founded), Kanidm (open source, Rust-based). All support SAML 2.0, OIDC, and LDAP.
Migration difficulty: Hard. Requires remapping every SSO connection, every conditional access policy, and every device trust relationship. Plan 3 to 6 months for a 25-person organisation.
2. Encryption Key Management
Microsoft and Google both offer customer-managed encryption keys (CMEK) and, in some cases, bring-your-own-key (BYOK) options. But the default deployment, which the vast majority of organisations use, leaves encryption keys under the provider’s control.
This means the provider can decrypt your data at rest. And because the CLOUD Act applies to data the provider can access, not just data it stores, key control is directly relevant to jurisdictional exposure.
Even CMEK deployments have limitations. Microsoft’s “Double Key Encryption” and Google’s “Client-side Encryption” add a customer-controlled key layer, but they reduce functionality (search, indexing, co-authoring may not work on client-side encrypted content) and require significant operational overhead.
European alternatives: self-hosted solutions where you hold all keys by default, such as Nextcloud (file storage), Proton Mail (email, Swiss jurisdiction), Tutanota/Tuta (email, German jurisdiction), and Cryptpad (collaborative editing with zero-knowledge encryption).
3. DNS and Domain Resolution
DNS is the first step in every network request. If your DNS provider is Cloudflare (US), AWS Route 53 (US), or Google Cloud DNS (US), a US company mediates which servers your users and customers reach.
DNS is also a single point of failure. If the DNS provider goes down or blocks your domain, your website, email, and every internet-facing service become unreachable. This is not theoretical: Cloudflare has experienced multiple significant outages, including the June 2022 incident that affected thousands of sites across 19 data centres (Cloudflare incident report, June 21, 2022).
European alternatives: Gcore (Luxembourg), Hetzner DNS (Germany), deSEC (Germany, non-profit, DNSSEC-focused), self-hosted with PowerDNS or Knot DNS.
Migration difficulty: Easy. DNS migration is straightforward and can be done with zero downtime using standard TTL management.
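The "standard TTL management" behind a zero-downtime DNS move comes down to two checks before the NS delegation changes: the new provider must serve exactly the records the old one does, and the TTLs at the old provider must already be low enough that resolvers stop caching stale answers quickly. The script below is an added example, not code from the original post or from any provider; it runs the two checks over two small constructed zone exports for a fictitious `example.eu` (the hostnames, addresses and TTLs are made up) and reports every blocker it finds.

```python
"""Pre-cutover checks for moving a DNS zone to a new provider (added example)."""

# Constructed zone exports for a fictitious domain. The first is what the
# current provider still serves, the second is what has been loaded into the
# new European provider. Real exports come from each provider's zone export
# (BIND format); these are made up for illustration.
OLD_ZONE = """\
example.eu.        3600 IN A     203.0.113.10
www.example.eu.    3600 IN CNAME example.eu.
example.eu.        3600 IN MX    10 mail.example.eu.
mail.example.eu.   3600 IN A     203.0.113.20
example.eu.        3600 IN TXT   "v=spf1 mx -all"
_dmarc.example.eu. 3600 IN TXT   "v=DMARC1; p=reject; rua=mailto:dmarc@example.eu"
"""

NEW_ZONE = """\
example.eu.        300 IN A     203.0.113.10
www.example.eu.    300 IN CNAME example.eu.
example.eu.        300 IN MX    10 mail.example.eu.
example.eu.        300 IN TXT   "v=spf1 mx -all"
_dmarc.example.eu. 300 IN TXT   "v=DMARC1; p=reject; rua=mailto:dmarc@example.eu"
"""


def parse_zone(text):
    """Parse 'name ttl IN type rdata' lines into {(name, type): (ttl, {rdata...})}.

    Handles the simple one-record-per-line export form only; $ORIGIN/$TTL
    directives and multi-line records are outside this check. Comments are
    recognised only as whole lines starting with ';' so that ';' inside a
    quoted TXT value (DMARC records) is left alone.
    """
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        key = (name.lower(), rtype.upper())
        ttl_so_far, values = records.get(key, (int(ttl), set()))
        values.add(" ".join(rdata.split()))  # normalise internal whitespace
        records[key] = (min(ttl_so_far, int(ttl)), values)
    return records


def compare_zones(old, new):
    """Records that would be lost, altered, or newly introduced by the switch."""
    return {
        "missing": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in old if k in new and old[k][1] != new[k][1]),
        "extra": sorted(k for k in new if k not in old),
    }


def high_ttl_records(zone, max_ttl=300):
    """Records whose TTL is still above max_ttl.

    Resolvers cache the current provider's answers for up to the TTL, so the
    TTLs at the *old* provider must be lowered, and that lower value must have
    been live for at least one previous-TTL period, before the NS delegation
    moves.
    """
    return sorted(k for k, (ttl, _) in zone.items() if ttl > max_ttl)


def cutover_problems(old_text, new_text, max_ttl=300):
    """List of blockers for moving the delegation; an empty list means go."""
    old, new = parse_zone(old_text), parse_zone(new_text)
    diff = compare_zones(old, new)
    problems = []
    for name, rtype in diff["missing"]:
        problems.append(f"missing at new provider: {name} {rtype}")
    for name, rtype in diff["changed"]:
        problems.append(f"rdata differs between providers: {name} {rtype}")
    for name, rtype in diff["extra"]:
        problems.append(f"unexpected at new provider (confirm intended): {name} {rtype}")
    for name, rtype in high_ttl_records(old, max_ttl):
        problems.append(f"TTL above {max_ttl}s at old provider: {name} {rtype}")
    return problems


if __name__ == "__main__":
    for problem in cutover_problems(OLD_ZONE, NEW_ZONE):
        print("BLOCKER:", problem)
```

Run against the constructed data it reports seven blockers: the `mail.example.eu` A record was never loaded at the new provider, and every record at the old provider still carries a 3600-second TTL. Only once the list is empty, and the lowered TTL has been live for at least the previous TTL period, is it safe to change the NS records at the registrar.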
4. Email Transport and Storage
Email is the most commonly discussed sovereignty concern, and for good reason. Email often contains contracts, financial information, personnel data, legal correspondence, and client communications. All of this sits in Exchange Online or Gmail, under the provider’s administrative control.
Beyond storage, the provider also controls email transport. Mail flow rules, spam filtering, DKIM signing, and DMARC reporting all run on the provider’s infrastructure. The provider can read, scan, index, and (under legal compulsion) disclose any message.
Microsoft’s EU Data Boundary, announced in 2022 and progressively rolled out since, addresses data residency but does not change the legal jurisdiction of the company that controls the infrastructure.
European alternatives: Proton Mail for Business (Swiss, end-to-end encrypted), Tuta Teams (German, end-to-end encrypted), Open-Xchange (German, used by major EU telcos including 1&1 and T-Online), Mailcow (open source, self-hosted).
Migration difficulty: Easy to Medium. Email is a standardised protocol (IMAP/SMTP). The migration itself is well-understood. Complexity comes from calendar integrations, shared mailboxes, distribution lists, and mail flow rules.
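Before evaluating alternatives it helps to know exactly which parties already sit in your mail path, and your own public DNS records tell you: the MX hosts receive every inbound message, SPF includes name the infrastructure allowed to send as you, a DKIM CNAME shows who holds the signing key, and the DMARC `rua=` address says who receives reports about your mail flow. The script below is an added example, not code from the original post or from any provider. It reads a set of constructed records for a fictitious `example.eu` (embedded so it runs offline; a real run would fetch them with a resolver library) and lists every operator in the path. The Microsoft hostnames follow the publicly documented Microsoft 365 patterns; the report collector under `.invalid` is a placeholder standing in for any third-party DMARC service.

```python
"""Who sits in a domain's mail path, read from its public DNS records (added example)."""
import re

# Constructed records for a fictitious domain, embedded so this runs offline.
# In practice they would be fetched with a resolver library. The Microsoft
# hostnames follow the publicly documented Microsoft 365 patterns; the DMARC
# report collector under .invalid is a placeholder for any third-party service.
RECORDS = {
    ("example.eu.", "MX"): ["0 example-eu.mail.protection.outlook.com."],
    ("example.eu.", "TXT"): ['"v=spf1 include:spf.protection.outlook.com -all"'],
    ("_dmarc.example.eu.", "TXT"): [
        '"v=DMARC1; p=quarantine; rua=mailto:reports@example.eu,mailto:agg@dmarc-collector.invalid"'
    ],
    ("selector1._domainkey.example.eu.", "CNAME"): [
        "selector1-example-eu._domainkey.example-eu.onmicrosoft.com."
    ],
}

# Well-known hostname suffixes and the operator behind them.
KNOWN_OPERATORS = {
    "protection.outlook.com.": "Microsoft (Exchange Online Protection)",
    "onmicrosoft.com.": "Microsoft 365 tenant",
    "google.com.": "Google Workspace",
}


def fqdn(name):
    """Lower-case absolute form so suffix matching is reliable."""
    name = name.strip().strip('"').lower()
    return name if name.endswith(".") else name + "."


def operator_of(host, own_domain):
    """Map a hostname to 'self', a known operator, or 'unknown (verify)'."""
    host, own = fqdn(host), fqdn(own_domain)
    if host == own or host.endswith("." + own):
        return "self"
    for suffix, who in KNOWN_OPERATORS.items():
        if host == suffix or host.endswith("." + suffix):
            return who
    return "unknown (verify)"


def txt_value(records, name, prefix):
    """First TXT string at name starting with prefix (case-insensitive), unquoted."""
    for raw in records.get((fqdn(name), "TXT"), []):
        value = raw.strip().strip('"')
        if value.lower().startswith(prefix):
            return value
    return None


def mail_path_dependencies(records, domain):
    """Return (role, hostname, operator) for every party in the mail path."""
    deps = []
    # Inbound transport: whoever runs the MX hosts receives every message first.
    for rdata in records.get((fqdn(domain), "MX"), []):
        host = rdata.split()[-1]
        deps.append(("MX inbound transport", fqdn(host), operator_of(host, domain)))
    # Outbound authorisation: SPF include/redirect names infrastructure allowed to send as you.
    spf = txt_value(records, domain, "v=spf1")
    if spf:
        for token in spf.split():
            lower = token.lower()
            if lower.startswith("include:") or lower.startswith("redirect="):
                host = token[len("include:"):] if lower.startswith("include:") else token[len("redirect="):]
                deps.append(("SPF authorised sender", fqdn(host), operator_of(host, domain)))
    # DKIM: a CNAME under _domainkey means the signing key lives with the target's operator.
    for (name, rtype), values in records.items():
        if rtype == "CNAME" and "._domainkey." in name:
            for target in values:
                deps.append(("DKIM key holder", fqdn(target), operator_of(target, domain)))
    # DMARC: rua= says who receives aggregate reports about your mail flow.
    dmarc = txt_value(records, "_dmarc." + domain, "v=dmarc1")
    if dmarc:
        match = re.search(r"rua=([^;]+)", dmarc, re.IGNORECASE)
        if match:
            for uri in match.group(1).split(","):
                uri = uri.strip()
                if uri.lower().startswith("mailto:") and "@" in uri:
                    rcpt_domain = uri.split("@", 1)[1]
                    deps.append(("DMARC report recipient", fqdn(rcpt_domain), operator_of(rcpt_domain, domain)))
    return deps


def third_parties(records, domain):
    """Distinct operators other than yourself that can see or shape your mail flow."""
    return sorted({who for _, _, who in mail_path_dependencies(records, domain) if who != "self"})


if __name__ == "__main__":
    for role, host, who in mail_path_dependencies(RECORDS, "example.eu"):
        print(f"{role:24} {host:60} {who}")
    print("third parties in the mail path:", third_parties(RECORDS, "example.eu"))
```

On the constructed records the output shows Microsoft in the inbound, outbound and signing roles and an unidentified third party receiving DMARC reports; the latter is the kind of dependency that rarely appears in a contract inventory but is visible to anyone who queries the zone. The same inventory, run before and after a migration, confirms that no old provider is still authorised to send as your domain.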
5. Update and Feature Control
Cloud providers push updates continuously. You cannot choose to stay on a previous version of Teams, Outlook, or Google Docs. Feature changes, UI redesigns, and policy updates arrive on the provider’s schedule, not yours.
This creates a dependency that is easy to overlook but operationally significant. When Microsoft removed the ability to create classic Teams channels in favour of the new Teams architecture, organisations that had built workflows around classic Teams had no choice but to adapt. When Google deprecated Google Hangouts and migrated users to Google Meet, organisations had no ability to delay or decline.
For regulated organisations, forced updates are particularly problematic. A change in how data is processed, stored, or transmitted may affect your GDPR Data Protection Impact Assessment (DPIA) or your NIS2 risk assessment. You may not even know the change happened until after the update rolls out.
European alternatives: Self-hosted or EU-hosted solutions where you control the update cycle. Nextcloud, Rocket.Chat, Element (Matrix), and most open-source alternatives let you choose when to update.
6. Communication and Collaboration Platforms
Slack (US, Salesforce-owned), Microsoft Teams (US), Zoom (US), and Google Meet (US) handle your organisation’s most sensitive internal communications: strategy discussions, personnel decisions, client negotiations, legal deliberations.
All of these platforms store message history, call recordings, and shared files on US-controlled infrastructure. All are subject to the CLOUD Act. Some (Teams, Slack) integrate so deeply with the rest of your stack that they function as an operating system for internal work.
European alternatives: Element/Matrix (UK-founded, open protocol, self-hostable, used by the French government, the German military, and NATO), Rocket.Chat (open source, self-hostable), Nextcloud Talk (integrated with Nextcloud, WebRTC-based), Wire (Swiss, used by the Swiss and German governments for secure communication).
Migration difficulty: Medium to Hard. The technical migration is achievable, but chat history, channel structures, and integrations (bots, tabs, connectors) require significant effort to replicate.
7. Source Code and Development Infrastructure
Organisations that build software face an additional control point: their source code and development infrastructure. GitHub (US, Microsoft-owned), GitLab.com (US-hosted SaaS), Bitbucket (US, Atlassian-owned), and AWS CodeCommit (US) all store intellectual property under US jurisdiction.
CI/CD pipelines, container registries, and deployment automation built on these platforms create operational dependencies that go beyond code storage.
European alternatives: GitLab self-managed (open source, can be hosted on EU infrastructure), Gitea (open source, lightweight, self-hosted), Codeberg (German non-profit, Forgejo-based), Hetzner or OVHcloud for underlying infrastructure.
Migration difficulty: Easy to Medium. Git is a distributed version control system; the code itself is trivially portable. CI/CD pipelines and integrations require rebuilding.
8. Payment Processing and Financial Tools
Stripe (US), PayPal (US), and Braintree (US, PayPal-owned) process payments for a large share of European online businesses. These platforms can freeze accounts, withhold funds, or terminate service based on US sanctions, internal risk assessments, or law enforcement requests.
In 2022, PayPal froze accounts of several UK-based organisations based on its own content policies, with no prior notice and limited appeal options. For businesses that depend on a single payment processor, this is an existential risk.
European alternatives: Mollie (Dutch), Adyen (Dutch, publicly traded), Stripe’s EU entity (Ireland-based but still ultimately US-controlled), GoCardless (UK, direct debit focused), Payconiq (Belgian/Luxembourg).
Migration difficulty: Medium. Payment processing integrations touch checkout flows, subscription management, invoicing, and accounting systems. The switch requires careful testing and coordination.
Prioritisation: Where to Start
Not all control points carry equal risk or require equal effort to address. A practical prioritisation:
Fix first (high risk, achievable effort):
- DNS: move to a European provider this week. Zero downtime, minimal effort.
- Email: begin evaluating European alternatives at your next contract renewal.
Plan next (high risk, significant effort):
- Identity: start parallel-running a European identity provider alongside your current one. Do not attempt a hard cutover.
- Encryption: evaluate client-side encryption options for your most sensitive data categories.
Assess and decide (medium risk, variable effort):
- Communication platforms: determine whether chat history is critical or whether a clean start is acceptable.
- Source code: move to self-hosted GitLab if you are building software.
- Payment processing: evaluate at contract renewal or after any account-level incident.
Accept with documentation (low near-term risk):
- Update control: document the risk in your DPIA and NIS2 assessment. Self-hosted alternatives exist but require operational maturity.
The goal is not to eliminate every US dependency overnight. The goal is to understand which control points matter most for your organisation and to start reducing the ones that carry the highest risk.
Sovereign Shift maps these control points for your specific stack and delivers a prioritised action plan. See how the audit works →